On 18.02.2017 13:21, Salvatore Bonaccorso wrote: [...] > No problem. Thanks for noticing, can you let us know as usual when you > have a debdiff ready for the regression update? > > I tend to see this as regression update for the previous DSA, so no > need for a new CVE id. But let me know if someone thinks otherwise and > I can followup with MITRE. > > Thanks for your coninous work,
I agree this is a regression update. Please find attached the debdiffs for Tomcat 7 and Tomcat 8. Regards, Markus
diff -Nru tomcat7-7.0.56/debian/changelog tomcat7-7.0.56/debian/changelog --- tomcat7-7.0.56/debian/changelog 2017-02-13 10:16:57.000000000 +0100 +++ tomcat7-7.0.56/debian/changelog 2017-02-18 19:16:13.000000000 +0100 @@ -1,3 +1,12 @@ +tomcat7 (7.0.56-3+deb8u9) jessie-security; urgency=high + + * Team upload. + * Add BZ57544-infinite-loop-part2.patch. + Fix regression due to an incomplete fix for CVE-2017-6056. + See #854551 for further information. + + -- Markus Koschany <[email protected]> Sat, 18 Feb 2017 19:16:13 +0100 + tomcat7 (7.0.56-3+deb8u8) jessie-security; urgency=high * Team upload. diff -Nru tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop-part2.patch tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop-part2.patch --- tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop-part2.patch 1970-01-01 01:00:00.000000000 +0100 +++ tomcat7-7.0.56/debian/patches/BZ57544-infinite-loop-part2.patch 2017-02-18 19:16:13.000000000 +0100 @@ -0,0 +1,29 @@ +From: Markus Koschany <[email protected]> +Date: Sat, 18 Feb 2017 19:15:02 +0100 +Subject: BZ57544-infinite-loop-part2 + +Fix 400 HTTP errors due to an incomplete fix for CVE-2017-6056. + +Bug-Debian: https://bugs.debian.org/854551 +Origin: https://github.com/apache/tomcat80/commit/534d62075f8c03cc3e77f301e53be53acdefd1c9 +--- + java/org/apache/coyote/http11/AbstractInputBuffer.java | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/java/org/apache/coyote/http11/AbstractInputBuffer.java b/java/org/apache/coyote/http11/AbstractInputBuffer.java +index a1251d6..ac56de1 100644 +--- a/java/org/apache/coyote/http11/AbstractInputBuffer.java ++++ b/java/org/apache/coyote/http11/AbstractInputBuffer.java +@@ -227,9 +227,10 @@ public abstract class AbstractInputBuffer<S> implements InputBuffer{ + // Copy leftover bytes to the beginning of the buffer + if (lastValid - pos > 0 && pos > 0) { + System.arraycopy(buf, pos, buf, 0, lastValid - pos); +- lastValid = lastValid - pos; +- pos = 0; + } ++ // Always reset pos to zero ++ lastValid = lastValid - pos; ++ pos = 0; + + // Recycle filters + for (int i = 0; i <= lastActiveFilter; i++) { diff -Nru tomcat7-7.0.56/debian/patches/series tomcat7-7.0.56/debian/patches/series --- tomcat7-7.0.56/debian/patches/series 2017-02-13 10:16:57.000000000 +0100 +++ tomcat7-7.0.56/debian/patches/series 2017-02-18 19:16:13.000000000 +0100 @@ -39,3 +39,4 @@ CVE-2016-8735.patch CVE-2016-8745.patch BZ57544-infinite-loop.patch +BZ57544-infinite-loop-part2.patch
diff -Nru tomcat8-8.0.14/debian/changelog tomcat8-8.0.14/debian/changelog --- tomcat8-8.0.14/debian/changelog 2017-02-13 09:34:43.000000000 +0000 +++ tomcat8-8.0.14/debian/changelog 2017-02-18 17:44:25.000000000 +0000 @@ -1,3 +1,12 @@ +tomcat8 (8.0.14-1+deb8u8) jessie-security; urgency=high + + * Team upload. + * Add BZ57544-infinite-loop-part2.patch. + Fix regression (400 HTTP errors) due to an incomplete fix for + CVE-2017-6056. See #854551 for further information. + + -- Markus Koschany <[email protected]> Sat, 18 Feb 2017 18:44:25 +0100 + tomcat8 (8.0.14-1+deb8u7) jessie-security; urgency=high * Team upload. diff -Nru tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop-part2.patch tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop-part2.patch --- tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop-part2.patch 1970-01-01 00:00:00.000000000 +0000 +++ tomcat8-8.0.14/debian/patches/BZ57544-infinite-loop-part2.patch 2017-02-18 17:44:25.000000000 +0000 @@ -0,0 +1,29 @@ +From: Markus Koschany <[email protected]> +Date: Sat, 18 Feb 2017 18:39:09 +0100 +Subject: BZ57544-infinite-loop-part2 + +Fix 400 HTTP errors due to an incomplete fix for CVE-2017-6056. + +Bug-Debian: https://bugs.debian.org/854551 +Origin: https://github.com/apache/tomcat80/commit/534d62075f8c03cc3e77f301e53be53acdefd1c9 +--- + java/org/apache/coyote/http11/AbstractInputBuffer.java | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/java/org/apache/coyote/http11/AbstractInputBuffer.java b/java/org/apache/coyote/http11/AbstractInputBuffer.java +index 2aef369..1fbeb27 100644 +--- a/java/org/apache/coyote/http11/AbstractInputBuffer.java ++++ b/java/org/apache/coyote/http11/AbstractInputBuffer.java +@@ -237,9 +237,10 @@ public abstract class AbstractInputBuffer<S> implements InputBuffer{ + // Copy leftover bytes to the beginning of the buffer + if (lastValid - pos > 0 && pos > 0) { + System.arraycopy(buf, pos, buf, 0, lastValid - pos); +- lastValid = lastValid - pos; +- pos = 0; + } ++ // Always reset pos to zero ++ lastValid = lastValid - pos; ++ pos = 0; + + // Recycle filters + for (int i = 0; i <= lastActiveFilter; i++) { diff -Nru tomcat8-8.0.14/debian/patches/series tomcat8-8.0.14/debian/patches/series --- tomcat8-8.0.14/debian/patches/series 2017-02-13 09:34:43.000000000 +0000 +++ tomcat8-8.0.14/debian/patches/series 2017-02-18 17:44:25.000000000 +0000 @@ -34,3 +34,4 @@ CVE-2016-8735.patch CVE-2016-8745.patch BZ57544-infinite-loop.patch +BZ57544-infinite-loop-part2.patch
signature.asc
Description: OpenPGP digital signature
__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.
